Australian Tax Office officials briefly suspended the use of Medicare cards for identification after the cards were sold on the Dark Web, over concerns they could be used to access online MyGov tax and superannuation records.
But the decision to revoke Medicare cards was withheld by the human services minister Alan Tudge in his response to the incident, a cache of internal emails from the ATO obtained by BuzzFeed News reveals. The shadow human services minister Linda Burney said they showed the minister "failed to disclose the damning concerns" held by some officers in the ATO to the public.
The ATO's decision to suspend Medicare cards for identification purposes followed revelations that Medicare cards were being sold on the Dark Web in July 2017, raising concerns about the risk of Medicare and identification fraud. The breach has sparked a Senate inquiry, a government-initiated review, and an Australian Federal Police investigation.
The cache of internal emails reveals the agency's inner wranglings over a three-hour period, from receiving media queries about its decision to the internal deliberations that led to it revoking the Medicare card suspension.
The sale of Medicare cards on the Dark Web caused immense concern in government agencies about the potential for identification fraud. Medicare cards have in the past been used by organised crime groups to engage in identity fraud for the purposes of criminal activity.
One team within the ATO acted swiftly to remove Medicare cards from the approved list of "Document Verification Service" identification checks. After seeing the initial investigation about the breach in the Guardian, one officer wrote "I will keep you advised of developments and impact...Medicare card checks are part of the process to get a MyGov linking code to access online records for tax and superannuation."
But after media queries about the decision, the ATO moved to revoke it, due to what was described as a "break in process" where approval wasn't sought. A briefing provided to the Prime Minister's Office said that the ATO hadn't consulted with the Department of Human Services: "The consultation process was internal and conducted at the incorrect APS level. It should have been escalated for consultation and approval internally, and should have included discussion with external stakeholders (namely DHS) at the appropriate levels."
The documents also shed light on the response the ATO was due to provide to media outlets, which set out the circumstances of the changes.
But this was aborted in favour of a response from the human services minister. His subsequent response contained no information about the tax office's decision to suspend the use of Medicare cards after they were sold on the Dark Web.
Senior ATO officials were quickly preparing a release about the cancellation while the decision was simultaneously being reversed. Assistant commissioner Susie Smith wrote at 4:29pm on the day they received media requests: "I think if we are changing the advice that we will still be accepting Medicare cards, we should say so in our media response."
Ten minutes later at 4:37pm she suggested a response that read: "we can confirm that the use of Medicare cards as part of the identity verification process was temporarily halted today in error. This has been rectified and Medicare cards can now be used as part of the normal identity verification process." The response was approved by several senior ATO officials.
Smith then wrote at 4:55pm: "things are changing so we will send to your contacts but not to journalist and await whole of govt response."
At 4:56pm deputy commissioner David Diment wrote that a deputy secretary of DHS had advised him that "there will be one response from Govt so we have ours on hold".
At 5:01pm Smith wrote: "So that you know in case you are asked the ATO did have a response prepared but will not use it."
When the minister finally issued his response, it held no reference to the ATO's previous advice or to their prepared response. Tudge's response said: "I’ve had assurances from the Australian Tax Office and the attorney general’s department that Medicare cards will continue to be accepted as proof of identification through the document verification service."
When asked on Wednesday about the difference between the ATO's response and his own response, a spokeswoman for the minister's office said: "Subsequent to the suspension being lifted, the minister for human services provided a response which confirmed that Medicare cards would continue to be accepted as proof of identification through the Document Verification Service. All information provided in this response was accurate."
The shadow human services minister Linda Burney said: "Minister Tudge has failed to disclose the damning concerns the ATO had about the integrity of Medicare cards as a valid form of identification to the Australian people."
“These documents show that the ATO was particularly concerned of the risk of identity fraud, especially given the events unfolded during tax time.
“The minister didn’t know about the initial Medicare data breach until it was reported in the news.”
In the Department of Human Services' submission to the Senate inquiry, it declined to outline any of what it knows of the breach. The submission said: "On 4 July 2017, media outlets reported that a Dark Web vendor was illegally selling Medicare card numbers.
"The incident was subsequently referred to the AFP who have commenced an investigation. The department understands that investigation to be ongoing. It would be inappropriate to comment on the specific matters subject to the ongoing AFP investigation."